Spyware.KsLogger

Behavior

Spyware.KsLogger is a spyware program that logs keystrokes and can also record the names of the windows opened on the computer, which reveals the programs that are run.

Symptoms

The files are detected as Spyware.KsLogger.

Transmission

Spyware.KsLogger does not spread on its own. It must be installed manually by someone with access to the computer.

Antivirus Protection Dates

Initial Rapid Release version
02 October 2014 revision 022

Latest Rapid Release version
01 February 2015 revision 020

Initial Daily Certified version
01 July 2004

Latest Daily Certified version
09 February 2011 revision 021

Initial Weekly Certified release date
07 July 2004


When Spyware.KsLogger runs, it performs the following actions:

Creates the following files in a folder chosen by the person running the installation:

Kslogger.exe: The configuration program for the key logger.

Sys007dll.dll: The library that sets up the environment for the key logger.

Sys007s.exe: The component that performs the key logging.

Allows the person running the installation to set the following options:

The location of the keystroke log file. The default location is C:\X.tmp.

Whether the names of all opened windows are logged (on or off).

The location of the log file for the names of opened windows. The default location is C:\X.tmp, the same default path as the keystroke log.

The interval between successive recordings of the names of opened windows.

Adds the subkey:

Sys007s

to the registry key:

HKEY_CURRENT_USER\SOFTWARE

Adds the subkey:

Setting

to the registry key:

HKEY_CURRENT_USER\SOFTWARE\Sys007s

and adds the following values to the subkey:

"file"="C:\x.tmp"
"winfile"="C:\x.tmp"

Adds the subkey:

Settings

to the registry key:

HKEY_CURRENT_USER\SOFTWARE\Sys007s

and adds the following values to the subkey:

"getwins"="n" or "getwins"="y"
"timer"=""

These values store the installer options described above: file and winfile are the keystroke and window-name log paths, getwins records whether window-name logging is on (y) or off (n), and timer holds the logging interval.

The following instructions pertain to all Symantec antivirus products that support Security Risk detection.

Update the definitions.

Restart the computer in Safe mode.

Run a full system scan and delete all the files detected as Spyware.KsLogger.

Delete the values that were added to the registry.

For specific details on each of these steps, read the following instructions.

1. To update the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.

2. To restart the computer in Safe mode
Shut down the computer and turn off the power. Wait at least 30 seconds, then restart the computer in Safe mode or VGA mode. For instructions, read the document, "How to start the computer in Safe Mode."

3. To scan for and delete the files
Start your Symantec program and run a full system scan. Delete all the files that are detected as Spyware.KsLogger.

Note: If your Symantec antivirus product reports that it cannot delete a detected file, write down the path and file names. Then use Windows Explorer to locate and delete the file.

4. To delete the values from the registry

WARNING:
Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.
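As an added example, not part of the Symantec writeup and not a Symantec tool, the following PowerShell script audits a Windows host for the indicators listed above (the HKCU\SOFTWARE\Sys007s key with its Setting and Settings values, the log paths recorded there plus the default C:\X.tmp, and the three installer files and any process running from them) and, when run with -Remove, carries out steps 3 and 4 of the removal procedure. The indicator names and paths come from the writeup; the script name, the -Remove switch, the whole-drive file search, and the choice to delete the entire Sys007s key rather than its individual values are this example's own assumptions.

```powershell
# Find-KsLogger.ps1 (example, not from the Symantec writeup). Run from an
# elevated PowerShell prompt, ideally in Safe mode as the removal steps require.
# Audits for the Spyware.KsLogger indicators; -Remove deletes what it finds.
# -Remove honours -WhatIf/-Confirm so the removal can be previewed first.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove   # assumption: this switch is the script's own design
)

# Registry indicators from the writeup: HKCU\SOFTWARE\Sys007s with subkeys
# Setting (log paths) and Settings (window logging on/off, interval).
$BaseKey = 'HKCU:\SOFTWARE\Sys007s'
$ExpectedValues = @{
    'Setting'  = @('file', 'winfile')
    'Settings' = @('getwins', 'timer')
}

# File indicators: the installer's three files (installer-chosen folder, so
# we have to search for them) and the default log path for both logs.
$FileNames  = @('Kslogger.exe', 'Sys007dll.dll', 'Sys007s.exe')
$DefaultLog = 'C:\X.tmp'

$findings = @()

# 1. Registry values under the Sys007s key.
if (Test-Path $BaseKey) {
    foreach ($sub in $ExpectedValues.Keys) {
        $path = Join-Path $BaseKey $sub
        if (-not (Test-Path $path)) { continue }
        $props = Get-ItemProperty -Path $path
        foreach ($name in $ExpectedValues[$sub]) {
            if ($null -ne $props.$name) {
                $findings += [pscustomobject]@{ Type = 'Registry'; Path = "$path\$name"; Value = $props.$name }
            }
        }
    }
}

# 2. Log files: the default path plus whatever paths the registry actually
#    records, since the installer lets the user change them.
$logPaths = @($DefaultLog) + @($findings |
    Where-Object { $_.Path -match '\\(file|winfile)$' } |
    ForEach-Object { $_.Value })
foreach ($p in ($logPaths | Sort-Object -Unique)) {
    if ($p -and (Test-Path -LiteralPath $p)) {
        $findings += [pscustomobject]@{ Type = 'LogFile'; Path = $p; Value = (Get-Item -LiteralPath $p).Length }
    }
}

# 3. Running processes whose image name matches an installer file.
foreach ($proc in (Get-Process -ErrorAction SilentlyContinue)) {
    if ($FileNames -contains "$($proc.ProcessName).exe") {
        $findings += [pscustomobject]@{ Type = 'Process'; Path = $proc.Path; Value = $proc.Id }
    }
}

# 4. The installer files anywhere on the system drive (assumption: a full
#    drive walk is acceptable; narrow -Path if you know the install folder).
$files = Get-ChildItem -Path "$env:SystemDrive\" -Recurse -Include $FileNames -File -Force -ErrorAction SilentlyContinue
foreach ($f in $files) {
    $findings += [pscustomobject]@{ Type = 'File'; Path = $f.FullName; Value = $f.Length }
}

$findings | Format-Table -AutoSize

# Removal order matters: stop the logger first so the files are not locked,
# then the files and logs, then the registry key (step 4 of the writeup).
if ($Remove -and $findings) {
    foreach ($f in ($findings | Where-Object Type -eq 'Process')) {
        if ($PSCmdlet.ShouldProcess($f.Path, 'Stop-Process')) { Stop-Process -Id $f.Value -Force }
    }
    foreach ($f in ($findings | Where-Object { $_.Type -in 'File', 'LogFile' })) {
        if ($PSCmdlet.ShouldProcess($f.Path, 'Remove-Item')) { Remove-Item -LiteralPath $f.Path -Force }
    }
    if ((Test-Path $BaseKey) -and $PSCmdlet.ShouldProcess($BaseKey, 'Remove-Item -Recurse')) {
        Remove-Item -Path $BaseKey -Recurse -Force
    }
}
```

Run .\Find-KsLogger.ps1 on its own to list what is present, then .\Find-KsLogger.ps1 -Remove -WhatIf to preview the deletions before running it with -Remove. The registry check is per user (HKEY_CURRENT_USER), so repeat it under each account that may have installed the program; the file search covers the whole system drive because the installer lets the installing user pick the folder.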